Using a custom CA in SSL for Nodejs applications #594

Closed
Ferk opened this Issue Dec 9, 2013 · 4 comments

Ferk commented Dec 9, 2013

There's not much documentation about socket.io with SSL. And I couldn't find any option concerning trusted Certificate Authorities.

How can I specify the list of certificate authorities that are trusted when I create a socket from nodejs?

I need to use a custom CA for my nodejs application and I want only authorized certificates to be allowed, the ones coming from my root certificate.

I even acked through the code trying to find anything that might help me, but there's nothing, the only option that can be provided when connecting from the client is the "secure" flag, which mostly just takes care to set the right protocol string in the url in a bunch of places and to set the default port to either 443 or 80.

I assume that this feature is not implemented? Where does socket.io-client obtain the list of trusted Certificate Authorities? Or if it doesn't, then at which point does it delegate this job to a different layer?

Contributor

rauchg commented Dec 9, 2013

Like I said on the socket.io issue, the best way to approach this would be to allow passing any request related option to the client (for usage from node.js), including the CA options of course.

Ferk commented Dec 10, 2013

Oh, I see. Thanks.

Is there perhaps a way for the socket.io-client to connect using an already existing "tls" object, in a similar way to how the socket.io server can do?

```js
// options: the server's TLS settings (key, cert), not shown in the original post
var app = require('tls').createServer(options);
var io = require("socket.io").listen(app);
```

Would it make sense to do something like this for the client too, or am I talking nonsense?

Is there a hack for me to do it currently or would I be better off switching to bare tls?

Contributor

rauchg commented Dec 10, 2013

I think there's a trick you can do by changing the settings of the globalAgent

FruitieX commented Jun 6, 2014

Hey, any updates on this issue now that Socket.IO 1.0 is out?

In my Node.js application I also need Socket.IO-client to accept a custom CA. I tried changing settings of the globalAgent but it seems Socket.IO-client does not use these!

As a side note, my application works when running node with the NODE_TLS_REJECT_UNAUTHORIZED=0 environment variable set, but to my understanding this leaves the application vulnerable to man-in-the-middle attacks.

@rauchg rauchg closed this Nov 25, 2014
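
Added example (not part of the thread and not socket.io code): the alternative to `NODE_TLS_REJECT_UNAUTHORIZED=0` discussed above, using only Node.js core `https`/`tls` options. The function names, the placeholder PEM and the host in the usage comment are hypothetical; how these options reach socket.io-client is not shown here.

```javascript
// Added example: trust ONLY a private root CA for outbound TLS from Node.js.
const https = require('https');
const tls = require('tls');

// Constructed placeholder; in practice: fs.readFileSync('/path/to/root-ca.pem', 'utf8')
const SAMPLE_CA_PEM =
  '-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n';

// Build per-connection TLS options. Passing `ca` replaces Node's bundled
// public roots, so only chains ending at the supplied CA(s) validate.
function privateCaTlsOptions(caPem, env = process.env) {
  // NODE_TLS_REJECT_UNAUTHORIZED=0 makes "do not verify" the process-wide
  // default, so refuse to start rather than run next to unverified clients.
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    throw new Error('NODE_TLS_REJECT_UNAUTHORIZED=0 is set; unset it and pass a CA instead');
  }
  const pems = Array.isArray(caPem) ? caPem : [caPem];
  for (const pem of pems) {
    if (!String(pem).includes('-----BEGIN CERTIFICATE-----')) {
      throw new TypeError('ca must be one or more PEM-encoded certificates');
    }
  }
  return { ca: pems, rejectUnauthorized: true };
}

// A dedicated Agent keeps the trust decision local instead of mutating
// https.globalAgent for every library in the process.
function privateCaAgent(caPem, env = process.env) {
  return new https.Agent(privateCaTlsOptions(caPem, env));
}

// Bare-tls variant: with rejectUnauthorized true the callback runs only after
// the chain and hostname have been verified; failures arrive as 'error'.
function connectWithPrivateCa(host, port, caPem, onSecure) {
  const opts = { host, port, ...privateCaTlsOptions(caPem) };
  const socket = tls.connect(opts, () => onSecure(socket));
  return socket;
}

// Usage (hypothetical host):
//   https.get('https://internal.example/', { agent: privateCaAgent(pem) }, cb)
```

Because `ca` replaces the default trust store, a server certificate issued by a public CA is rejected by these clients, which is the "only my root" behaviour asked for in the first comment.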
